Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
Sigma rule (View on GitHub)
1title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
2id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
3status: test
4description: |
5 Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
6 Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
7references:
8 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
9 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
10 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
11author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
12date: 2019-01-16
13modified: 2023-03-02
14tags:
15 - attack.discovery
16 - attack.t1087.001
17 - attack.t1087.002
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - '\net.exe'
25 - '\net1.exe'
26 - OriginalFileName:
27 - 'net.exe'
28 - 'net1.exe'
29 # Covers group and localgroup flags
30 selection_group_root:
31 CommandLine|contains:
32 - ' group '
33 - ' localgroup '
34 selection_group_flags:
35 CommandLine|contains:
36 # Add more groups for other languages
37 - 'domain admins'
38 - ' administrator' # Typo without an 'S' so we catch both
39 - ' administrateur' # Typo without an 'S' so we catch both
40 - 'enterprise admins'
41 - 'Exchange Trusted Subsystem'
42 - 'Remote Desktop Users'
43 - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
44 - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
45 - ' /do' # short for domain
46 filter_group_add:
47 # This filter is added to avoid the potential case where the point is not recon but addition
48 CommandLine|contains: ' /add'
49 # Covers 'accounts' flag
50 selection_accounts_root:
51 CommandLine|contains: ' accounts '
52 selection_accounts_flags:
53 CommandLine|contains: ' /do' # short for domain
54 condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
55falsepositives:
56 - Inventory tool runs
57 - Administrative activity
58level: medium
References
Related rules
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock
- Suspicious Use of PsLogList